What are LSA secrets?

LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system, storing private data. Users' and system's sensitive data is stored in secrets. Access to all secret data is available to system only. However, as shown below, some programs, in particular Windows Password Recovery, allow to override this restriction.

What is stored in LSA secrets?

Originally, the secrets contained cached domain records. Later, Windows developers expanded the application area for the storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key. L$RTMTIMEBOMB stores the amount of time left until the expiration of an inactivated copy of Windows. L$HYDRAENCKEY stores the public RSA2 key used in the Remote Desktop Protocol. Incidentally, even despite the fact that the automatic login is not set, in certain versions of Windows 7 secrets can contain the plaintext of the administrator account password, thus compromising the entire target system.

Where are LSA secrets stored?

LSA secrets are stored in an encrypted form in the Windows registry, in the HKEY_LOCAL_MACHINE/Security/Policy/Secrets key. The parent key, HKEY_LOCAL_MACHINE/Security/Policy, contains the additional data, necessary for accessing and decrypting the secrets. Here are the descriptions of some values of this key.

LSA Secrets in detail

On the physical level, secrets are stored in a binary registry file SECURITY with the secret name for the key. For example, Security/Policy/Secrets/$MACHINE.ACC. Each secret in the registry is represented by five values:

CurrVal - current encrypted value of the secret.

CupdTime - last update time, as an 8-byte FILETIME structure.

OldVal - previous value of the secret.

OupdTime - previous update time.

SecDesc - security descriptor, i.e. which users can access the secret, and which are banned from accessing it.

If the system is unable to read/decrypt one of the secrets, it writes the sixth value in it, PolMod, which indicates that the secret is damaged. For example, if a transaction to the LSA database was not completed due to a power outage or registry file damage.

CurrVal and OldVal data structure

Beginning with version 1.9, the structure of secrets has changed dramatically; therefore, we are not going to cover the old format. Instead of a single encryption key, now you can bind each secret to any value on the encryption key list (PolEKList). There is also an option to select an encryption algorithm! So, the first 4 bytes in the data structure is the version of the data; then there follows a 16-byte encryption key identifier for locating the necessary key on the list. That is followed by a DWORD with an identifier for a list of encryption algorithms the secret is encrypted with. For example, the value 3 matches a bundle of the SHA-256 hashing algorithm and the AES-256 block encryption algorithm. The algorithm identifier is followed by a 4-byte value with different flags used during the decryption. And, finally, there goes the encrypted data. See the figure.

Encrypting LSA secrets in Windows 2000, XP, 2003

Up to Windows Vista, the decryption of the secrets looked rather trivial. First, one needed to decrypt the secrets encryption key. Here is what it looked like:

Where m_pSyskey - 16-byte SYSKEY value;m_pCypherKey - value from the registry key HKEY_LOCAL_MACHINE/Security/Policy/PolSecretEncryptionKey
Once the secrets encryption key was obtained, one could proceed to the decryption of the secrets. The secrets were encrypted using DES algorithm.

Encrypting secrets in Windows Vista, Windows 7

In Windows Vista (and higher OSes), the encryption algorithm, as it was mentioned earlier, has become much more sophisticated. First, one still needs to decrypt the list of the encryption keys (yes, now multiple keys are allowed), stored in HKEY_LOCAL_MACHINE/Security/Policy/PolEKList. Then proceed to the actual secrets. Each secret now stores a key identifier, encryption algorithm identifier and the actual encrypted data. A working algorithm for decrypting the key looks like:

Read the key value and find the encryption key identifier.

On the list of encryption keys (PolEKList), find the necessary key using the identifier you obtained earlier.

Decrypt the secret using the algorithm identifier and the found key.

Thus, secrets in the LSA database can be not only encrypted with different algorithms, but also have different original context. For example, use SYSKEY from other PC.

Reading and editing secrets

There is a set of API for handling secrets available to software developers. Thus, any Windows application can create and read its own secrets, but only within the boundaries of current user context. See application 1 with the source code for reading secrets. If you require viewing or editing LSA secrets, for instance, to delete your account's text password, you can take advantage of Windows Password Recovery tool, which has a convenient plugin for handling LSA secrets. By the way, this plugin works with both current operating system's secrets and with external registry files.

Appendix

1. Source code of the program for reading LSA Secrets. Note that not all secrets can be read under user context. Besides, the Administrator privileges are required. The executable of the program can be downloaded at the following link.

I keep getting this error whenever I try editing or adding a scret using the LSA plugin:

Any ideas how to fix this ?

Can't get service execution result: service error (Loader error #-1)

RE: LSA plugin in Windows Password Recovery

posted by Admin at 09:48:17 02.09.2015

This error is usually caused by AV software.
When adding/removing a secret, the program uses it's service to inject a DLL into LSA process. The error -1 means that there were some troubles allocating memory in LSA process. Something is preventing the LSA process from being modified.